Define event types in Splunk Web

An event type represents a search that returns a specific type of event or a useful collection of events. Every event that can be returned by that search gets an association with that event type. For example, say you have this search:

sourcetype=access_combined status=200 action=purchase

If you save that search as an event type named successful_purchase, any event that could be returned by that search gets eventtype=successful_purchase added to it at search time. This happens even if you are searching for something completely different.

Later, to build a search that works only with events that match that event type, include eventtype=successful_purchase in the search string.

A single event can match multiple event types. When an event matches two or more event types, eventtype acts as a multivalue field.

Save a search you ran as an event type

When you run a search, you can save that search as an event type. Event types usually represent searches that return a specific type of event, or that return a useful variety of events.

When you create an event type, the event type definition is added to eventtypes.conf in $SPLUNK_HOME/etc/users/<your-username>/<app>/local/, where <app> is your current app context. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), the Splunk platform moves the definition to $SPLUNK_HOME/etc/apps/<app>/local/eventtypes.conf.

You can apply the same tag to event types that produce similar results. A search that is just on that tag returns the set of events that collectively belong to those event types.

(Optional) Select a Color.

This causes a band of color to appear at the start of the listing for any event that fits this event type. For example, an event that matches an event type with a Color of Purple is shown with a purple band.
You can change the color of an event type (or remove its color entirely) by editing it in Settings.

(Optional) Give the event type a Priority.

Priority affects the display of events that match two or more event types. 1 is the highest Priority and 10 is the lowest.
See About event type priorities.

Click Save to save the new event type.

Any event type that you create with this method also appears on the Event Types listing page at Settings > Event types, together with the event types that other users have created and that you have permission to view. You can update the event type on that page.

Event Types page in Settings

The Event Types page in Settings displays a list of the event types that you have permission to view or edit. You can use the Event Types page to create event types and maintain existing event types.

You can apply the same tag to event types that produce similar results. A search that is just on that tag returns the set of events that collectively belong to those event types.

(Optional) Select a Color.

This causes a band of color to appear at the start of the listing for any event that fits this event type.

(Optional) Give the event type a Priority.

Priority affects the display of events that match two or more event types. 1 is the highest Priority and 10 is the lowest.

Priority determines the order of the event type listing in the expanded event. It also determines which color displays when two or more of the event types matching the event have a defined Color value.
For more, see About event type priorities.

Click Save to save the event type.

Note: All event types are initially created for a specific Splunk app. To make a particular event type available to all users on a global basis, you have to give all roles read access to the Splunk app and make the event type available to all Splunk apps. Grant write access only to the roles that maintain the app: an event type is a saved search that is evaluated at search time for every user who can see it, so anyone with write access can silently change the set of events that other users' searches built on that event type return. For more information about setting permissions for event types (and other knowledge object types), see Manage knowledge object permissions, in this manual.
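The following eventtypes.conf and tags.conf stanzas are added here as an example and are not taken from this page; they show what the Splunk Web procedure above writes to disk, using the successful_purchase search from the top of this topic. The second event type, web_success, its search, and the web_traffic tag are assumptions made for the example. The color values are the et_ names that eventtypes.conf accepts.

```ini
# eventtypes.conf (added example, not from the page)
# Private event types live in $SPLUNK_HOME/etc/users/<username>/<app>/local/;
# once shared with the app or globally, the stanza is moved to
# $SPLUNK_HOME/etc/apps/<app>/local/eventtypes.conf.

[successful_purchase]
# The search from the top of this topic, saved as an event type.
search = sourcetype=access_combined status=200 action=purchase
priority = 1
color = et_purple
description = Completed purchases served with HTTP 200

# Hypothetical second event type (name and search are assumptions for this
# example). Every successful_purchase event also matches it, so such events
# carry both values in the multivalue eventtype field. The purple band wins
# in the event listing because priority 1 outranks priority 5.
[web_success]
search = sourcetype=access_combined status=200
priority = 5
color = et_green
description = Any request answered with HTTP 200

# tags.conf (same app, same local/ directory)
# A tag is attached to an event type with an [eventtype=<name>] stanza.
# Both event types get the same tag, so a search on the tag returns the
# union of the events that belong to either of them.
[eventtype=successful_purchase]
web_traffic = enabled

[eventtype=web_success]
web_traffic = enabled
```

With these stanzas in place, the search eventtype=successful_purchase | stats count by clientip counts purchases per client without repeating the underlying search terms, and tag=web_traffic returns every event that belongs to either event type, which is the tag behavior described in the steps above. Because the event type definition is applied at search time, changing the search= line changes the results of every search that references the event type or its tag.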
